ITL #306   Data security: reputation risk number one

4 years, 7 months ago


Whether we like it or not, data security risks have entered the reputation management and crisis communications field. By Philippe Borremans.


You've heard it in the news; Facebook's leak, the breach which exposed personal details of 75,000 people, the Cathay Pacific data security breach and so on.

In October 2018 alone, the American Healthcare industry saw more than 2 million people's health data unlawful accessed. And that only includes those cases that have been declared.

With a clear shift in consumer perception, what used to be an Operational risk, is now a clear and present Reputational one.

Consider the following data from the Ping Identity 2018 Consumer Survey: Attitudes and Behaviour in a Post-Breach Era:


  • After a data breach, 78% of people would stop engaging with a brand
  • 49% would not sign up and use an online service or application that recently experienced a data breach.
  • 56% are not willing to pay anything to application or online service providers for added security to protect their personal information.
  • 59% prioritise the protection of their personal information when interacting with an online application or service, compared to only 12% who prioritise a convenient, straightforward user experience.

In addition to the collective cost of resolving a Data Privacy breach, the potential fines under GDPR (up to 10 million euros, or up to 2% of entire global turnover for the preceding fiscal year, whichever is higher), the threat of being unable to process data, and the legal liability – we can now add the Reputational Risk as well.

As the 2018 Global RepTrak® report from the Reputation Institute has clearly shown, different areas of a company’s corporate reputation can be impacted during and after a data privacy crisis.

“Not only is data security and privacy the number one reputational risk, but data ethics and trust is the number one reputational attribute. This is the first time we have seen one issue appear as both top positive and top potentially negative issue at the same time.” Bill Mew, influencer and advocate for digital ethics and digital transformation.

We are talking about a direct impact on the perception of governance and leadership, on universal stakeholder support and brand loyalty among the general public. In short, the "perfect storm" for a Crisis Communications professional.

It is time for corporate communicators and public relations professionals, those responsible for the reputation of their organisation, to step up in several ways:

Make data privacy & ethics a cultural attribute

Communications departments need to drive cultural change programmes to put data security on the corporate agenda from the boardroom to the shop floor. Working with the IT departments that ensure data protection, they need to introduce training schemes for employees and create internal awareness campaigns for staff at all levels.

Topics such as data ethics and data protection should be promoted in order to become a real brand attribute for the organisation. Internal and external trust around data is crucial and needs to be authentic to avoid this being seen as just be a marketing ploy.

Data privacy versus other corporate topics

Organisations need to be in tune with their customers. A recent survey from FleishmanHillard Fishburn found that the main issues that consumers expected companies to act on are now security and privacy, surpassing things like diversity and sustainability that had previously topped this list.

Take a stand on ethics and trust

Establish ethics and trust as core brand values: organisations need to move from a 'box-ticking' focus on GDPR and privacy compliance, to an ethical one focused on 'doing the right thing’. However, in order to gain competitive advantage and enhanced customer loyalty, an organisation needs to be 'authentically ethical'. This means behaving and acting ethically; living up to ethical standards, rather than just using them as window dressing.

  • Behave ethically focus on the ethical issue that matter to your customers, such as data privacy: implement cultural change programs to instil a focus on ethics throughout the business.
  • Act ethically when taking a stand, actions speak loader than words: take visible actions that demonstrate your ethical commitment.
  • Talk ethically be proud and loud: harness you ethical differentiation in your marketing and communications.


Communications professionals will have a key role to play in all of this; from cultural change through to brand amplification. They will also be responsible for building relationships with key external stakeholders and influencers – including press, analysts and social activists that focus on areas like privacy that matter to your customers.

These specialist influencers can be used as a sounding board for ethical ideas and an amplifier for ethical campaigns. They can help you independently assess or benchmark your data privacy policies and crisis management plans so as to ensure you adopt best practice in these areas. Being able to demonstrate efforts to adopt best practice in this way can also mitigate potential fines or legal exposure in the event of a calamity.

Plan for when, not if

Communication departments also need to incorporate data privacy and security risk into each step of their crisis communications plan.


Create clear internal procedures to report data breaches and data privacy issues, ensuring that the communications department is looped in. Prepare a data privacy crisis communications response plan, with processes to trigger its implementation. Ensure that the response plan includes communication plans to ensure coordination between internal stakeholders in the IT, Human Resources, Legal, Financial and Customer Service departments. It’s crucial to ensure all departments are fully prepared.


Be ready to reassure customers & stakeholders that you are taking the right action. Make it regular, up to date and relevant for each stakeholder segment. And do not forget your most important audience in the process: your own employees.

Use pre-established influencer relationships to counter hysteria or misinformation. Data Privacy breaches are high on the media radar and will get coverage. Make sure you reach out to pre-defined reporters and influencers in your space to add a balanced view to your communications.

"Newspapers tend to emphasise the massive damage of each data breach crisis, through citing victim experiences and magnifying the negative outcomes." Bokyung Kim, PhD, assistant professor of public relations, Rowan University.


Continue to protect your brand and customer relationships. Data privacy-related crises tend to have a long term impact. Explain clearly what went wrong and how you're making sure that you are implementing systems and procedures to limit future risks.

Demonstrate best practice to help minimise regulatory sanctions or fines. Legislation and disclosure requirements have been implemented across several countries and regions, make sure you follow up and document them.

Agencies & companies alike face a reputational risk

Some brands are already reacting to the "new" threat. Several companies are compelling their marketing & communication agencies to cover for the liability of a potential data breach.

"The amount of liability companies are asking agencies to accept can range from $5 million to $100 million or even unlimited liability", according to a recent article in the Wall Street Journal.

Again, it is time to plan for the when, not the if. Make sure your crisis communications plans are up to date and take into account data security & ethics.

A big thanks to Bill Mew for his insightful contribution to this article & corresponding white paper.

Interested in this topic? Request the white paper here.


The author

A Belgian national, Philippe Borremans sits on the IPRA Board. He is an independent public relations consultant based in Casablanca who specialises in online, risk and crisis communications. After starting his career at Porter Novelli International, he spent 10 years as PR manager at IBM. Philippe is a guest lecturer at several universities and produces PR podcast Wag the Dog FM.



[email protected]  




author"s portrait

The Author

Philippe Borremans

Philippe Borremans is an independent Public Relations consultant specialising in Emergency Risk & Crisis Communication and President of the International Public Relations Association (2021)..

mail the author
visit the author's website

Forward, Post, Comment | #IpraITL

We are keen for our IPRA Thought Leadership essays to stimulate debate. With that objective in mind, we encourage readers to participate in and facilitate discussion. Please forward essay links to your industry contacts, post them to blogs, websites and social networking sites and above all give us your feedback via forums such as IPRA’s LinkedIn group. A new ITL essay is published on the IPRA website every week. Prospective ITL essay contributors should send a short synopsis to IPRA head of editorial content Rob Gray email


Welcome to IPRA



July (5)
June (4)
May (5)
July (4)
June (4)
May (5)
July (4)
June (4)
May (5)
July (4)
June (5)
May (4)
July (5)
June (4)
May (4)
July (5)
June (4)
May (4)
July (5)
June (4)
May (5)
July (3)
June (4)
May (5)
July (4)
June (5)
May (5)
July (5)
June (4)
May (4)
July (4)
June (3)
May (3)
June (8)
June (17)
March (15)
June (14)
April (20)
June (16)
April (17)
June (16)
April (13)
July (9)
April (15)
Follow IPRA: